Abstract

Using a call-by-value functional language as an example, this article illustrates the use of coinductive definitions and proofs in big-step operational semantics, enabling it to describe diverging evaluations in addition to terminating evaluations. We formalize the connections between the coinductive big-step semantics and the standard small-step semantics, proving that both semantics are equivalent. We then study the use of coinductive big-step semantics in proofs of type soundness and proofs of semantic preservation for compilers. A methodological originality of this paper is that all results have been proved using the Coq proof assistant. We explain the proof-theoretic presentation of coinductive definitions and proofs offered by Coq, and show that it facilitates the discovery and the presentation of the results.

Key words: Coinduction, Operational semantics, Big-step semantics, Natural semantics, Small-step semantics, Reduction semantics, Type soundness, Compiler correctness, Mechanized proofs, The Coq proof assistant



1 Introduction 



There exist two widely-used styles of operational semantics: big-step semantics, popularized by Kahn [1] under the name natural semantics, relates programs to the final results of their evaluations; small-step semantics, popularized by Plotkin [2,3] under the name structural operational semantics, repeatedly applies a one-step reduction relation to form reduction sequences. Small-step semantics is more expressive since it can describe the evaluation of both terminating and non-terminating programs, as finite or infinite reduction sequences, respectively. In contrast, big-step semantics describes only the evaluation of terminating programs, and fails to distinguish between non-terminating programs and programs that "go wrong". For this reason, small-step semantics is generally preferred, in particular for proving the soundness of type systems.

However, big-step semantics is more convenient than small-step semantics for some applications. One that is dear to our heart is proving the correctness (preservation of program behaviours) of program transformations, especially compilation of a high-level programming language down to a lower-level language. The first author's experience and that of others [4,5,6] is that fairly complex, optimizing compilation passes can be proved correct (for terminating source programs) relatively easily using big-step semantics and inductions on the structure of big-step evaluation derivations. In contrast, compiler correctness proofs using small-step semantics can address both terminating and diverging source programs, but are more difficult even for simple, non-optimizing compilation schemes [7].

In this article, we illustrate how coinductive definitions and proofs enable big-step semantics to describe both terminating and diverging evaluations. The target of our study is a simple call-by-value functional language. We study two approaches: the first, initially proposed by Cousot and Cousot [8], complements the normal inductive big-step evaluation rules for terminating evaluations with coinductive big-step rules describing diverging evaluations; the second simply interprets coinductively the normal big-step evaluation rules, thus enabling them to describe both terminating and non-terminating evaluations. These semantics are defined in sections 3 and 7, respectively.

The main technical results of this article are of two kinds. First, we prove that the coinductive big-step definition of divergence is equivalent to the more familiar definitions using either small-step semantics (section 4) or a simple form of denotational semantics (section 5). We also extend these equivalence results to trace semantics (section 6). Then, we study two applications of the big-step definition of divergence: a novel approach to stating and proving the soundness of type systems (section 8), and proofs of semantic preservation for compilation down to an abstract machine (section 9).

An originality of this article is that all results were not only proved using a proof assistant (the Coq system), but even developed in interaction with this tool, and only then transcribed to standard mathematical notations. The Coq proof assistant [9,10] provides built-in support for coinductive definitions and proofs by coinduction. This support follows a proof-theoretic approach to induction and coinduction that we present in section 2 and relate with the standard approach using fixed points. The proof-theoretic approach leads to proofs by coinduction that are simpler than the standard arguments based on $F$-consistent relations [11,12]. Our use of Coq has therefore been doubly beneficial: it facilitated the discovery and presentation of the results in this article, while at the same time generating strong confidence in them.



2 Induction and coinduction: A proof-theoretic approach 

Following the classical presentation of Aczel [13], an inference system over a set $U$ of judgments is a set of inference rules. An inference rule is an ordered pair $(A, c)$, where $c \in U$ is the conclusion of the rule and $A \subseteq U$ is the set of its premises or antecedents. A rule is usually written as follows:

$$\frac{A}{c}$$

The intuitive interpretation of this rule is that the judgment $c$ can be inferred from the set of judgments $A$.

2.1 Fixed-point approach 

One way to give meaning to an inference system is to consider the fixed points of the associated inference operator. If $\Phi$ is an inference system over $U$, we define the operator $F_\Phi : \mathcal{P}(U) \to \mathcal{P}(U)$ as

$$F_\Phi(S) = \{\, c \in U \mid \exists A \subseteq S,\ (A, c) \in \Phi \,\}$$

In other terms, $F_\Phi(S)$ is the set of judgments that can be inferred in one step from the judgments in $S$ by using the inference rules.

A set $S$ is said to be $F_\Phi$-closed if $F_\Phi(S) \subseteq S$, and $F_\Phi$-consistent if $S \subseteq F_\Phi(S)$. A closed set $S$ is such that no new judgments can be inferred from $S$. A consistent set $S$ is such that all judgments that cannot be inferred from $S$ are not in $S$.

The inference operator is monotone: $F_\Phi(S) \subseteq F_\Phi(S')$ if $S \subseteq S'$. By Tarski's fixed point theorem for complete lattices [14, p. 286], it follows that the inference operator possesses both a least fixed point and a greatest fixed point, which are the smallest $F_\Phi$-closed set and the largest $F_\Phi$-consistent set, respectively.

$$\mathrm{lfp}(F_\Phi) = \bigcap \{\, S \mid F_\Phi(S) \subseteq S \,\}$$
$$\mathrm{gfp}(F_\Phi) = \bigcup \{\, S \mid S \subseteq F_\Phi(S) \,\}$$

The least fixed point $\mathrm{lfp}(F_\Phi)$ is the inductive interpretation of the inference system $\Phi$, and the greatest fixed point $\mathrm{gfp}(F_\Phi)$ is its coinductive interpretation. These interpretations lead to the following two proof principles:

• Induction principle: to prove that all judgments in the inductive interpretation belong to a set $S$, show that $S$ is $F_\Phi$-closed.

• Coinduction principle: to prove that all judgments in a set $S$ belong to the coinductive interpretation, show that $S$ is $F_\Phi$-consistent.

2.2 Proof-theoretic approach 

In contrast with the fixed point approach, the proof-theoretic approach starts from the proofs admissible in an inference system. These proofs naturally correspond to derivations, also called proof trees. These are trees whose nodes are labeled with judgments $c \in U$ and such that for all nodes $n$, the label $c$ of $n$ and the labels $A$ of the children of $n$ correspond to an inference rule: $(A, c) \in \Phi$. The conclusion of a derivation is the label of its root node.

A derivation $d$ is well-founded if it has no infinite branch; $d$ is ill-founded otherwise. If every rule in $\Phi$ has a finite set of premises, well-founded derivations are finite while ill-founded derivations are infinite.

In the proof-theoretic approach, the inductive interpretation of the inference system $\Phi$ is the set $\Delta(\Phi)$ of conclusions of well-founded derivations, while the coinductive interpretation is the set $\nabla(\Phi)$ of conclusions of arbitrary derivations (ill-founded or well-founded). These interpretations come with the following proof principles:

• Induction principle: to prove that all judgments in the inductive interpretation belong to a set $S$, proceed by structural induction over well-founded derivations. That is, show that $c \in S$ if $c$ is the conclusion of a derivation $d$, assuming that $j \in S$ for all conclusions $j$ of the strict sub-derivations of $d$.

• Coinduction principle: to prove that all judgments in a set $S$ are in the coinductive interpretation, build a system of recursive equations between derivations, with unknowns $(x_j)_{j \in S}$. Each equation is of the form

$$x_j = \frac{x_{j_1} \quad x_{j_2} \quad \cdots}{j}$$

and must be justified by an inference rule: $(\{j_1, j_2, \ldots\}, j) \in \Phi$. These equations are guarded, meaning that there are no trivial equations $x_j = x_{j'}$. It follows that the system has a unique solution [15], and this solution $\sigma$ is such that for all $j \in S$, $\sigma(x_j)$ is a valid derivation that proves $j$. Therefore, all $j \in S$ are also in $\nabla(\Phi)$.
2.3 Equivalence between the two approaches

The following theorem shows that the interpretations defined using fixed points and using derivations coincide.

Theorem 1 For all inference systems $\Phi$, $\mathrm{lfp}(F_\Phi) = \Delta(\Phi)$ and $\mathrm{gfp}(F_\Phi) = \nabla(\Phi)$.

Proof. It is easy to show that $\Delta(\Phi)$ is $F_\Phi$-closed and that $\nabla(\Phi)$ is $F_\Phi$-consistent. Therefore, $\mathrm{lfp}(F_\Phi) \subseteq \Delta(\Phi)$ and $\nabla(\Phi) \subseteq \mathrm{gfp}(F_\Phi)$.

Consider a $F_\Phi$-closed set $S$. A structural induction over well-founded derivations $d$ shows that the conclusion of $d$ is in $S$. Therefore, $\Delta(\Phi) \subseteq S$. Since $\mathrm{lfp}(F_\Phi)$ is $F_\Phi$-closed, the inclusion $\Delta(\Phi) \subseteq \mathrm{lfp}(F_\Phi)$ follows.

Finally, consider a $F_\Phi$-consistent set $S$. For any judgment $j$ in $S$, there exists a rule $(K_j, j)$ in $\Phi$, where $K_j \subseteq S$. We define a system of guarded recursive equations, with variables $(x_j)_{j \in S}$:

$$x_j = \frac{(x_k)_{k \in K_j}}{j}$$

The solution $\sigma$ of this system is such that for all $j \in S$, the derivation $\sigma(x_j)$ is valid in $\Phi$ and proves $j$. Therefore, $S \subseteq \nabla(\Phi)$. Since $\mathrm{gfp}(F_\Phi)$ is $F_\Phi$-consistent, the inclusion $\mathrm{gfp}(F_\Phi) \subseteq \nabla(\Phi)$ follows. □

The equality $\mathrm{lfp}(F_\Phi) = \Delta(\Phi)$ is proved by Aczel [13]. The equality $\mathrm{gfp}(F_\Phi) = \nabla(\Phi)$ is proved in the second author's PhD dissertation [16, p. 77], but to our knowledge there is no other published proof. This is, however, a well-known result. For instance, it has recently been used to extend logic programming with coinductive terms and derivations [17].

2.4 Induction and coinduction in the Coq proof assistant 

The Coq proof assistant that we use to develop the present work follows the proof-theoretic formulation of induction and coinduction. In accordance with the propositions-as-types, proofs-as-programs paradigm, inference systems are presented as inductively or coinductively-defined predicates, resembling data type definitions in ML or Haskell. Such a predicate is defined by a set of constructors, corresponding to inference rules. Applied to terms representing proofs for its premises, a constructor returns a proof term for its conclusion.

Proofs by induction and by coinduction are both represented as recursive functions. For a proof by induction, the Coq type system demands that the recursive function be structural: the arguments to recursive calls are strict subterms of the recursive parameter. For a proof by coinduction, the Coq type system demands that the recursive function be productive: its result is a constructor application, and the results of recursive calls are only used as arguments to this constructor. Such productive recursive functions correspond closely to the systems of guarded equations used above.

While proof terms can be provided explicitly by the user, most of the time they are built incrementally by the Coq proof assistant in response to tactics entered by the user. When using tactics, proofs by coinduction are as easy to conduct as proofs by induction: in response to the cofix tactic, the system provides the expected result as an additional hypothesis, then makes sure that this hypothesis is only used in positions permitted by productive recursive functions. (See [18] and [10, chap. 13] for more details, and the proof of lemma 5 below for a concrete example.) The proof sketches we give in the remainder of this article are written in the same proof style, and play fast and loose with coinduction. In particular, except for the very first proofs, we do not exhibit $F_\Phi$-consistent sets nor systems of guarded equations between derivations. The skeptical reader is referred to the corresponding Coq development [19] for full details.

Coq is based on a constructive logic (the Calculus of Constructions), but proofs in classical logic can be expressed in Coq by adding axioms that are known to be consistent with Coq's logic. The majority of our proofs are constructive, but some use the axiom of excluded middle. The proofs that use this axiom are marked "(classical)".



3 The language and its big-step semantics 

The language we consider in this article is the $\lambda$-calculus extended with constants: the simplest functional language that exhibits run-time errors (terms that "go wrong"). Its syntax is as follows:

Variables: $x, y, z, \ldots$
Constants: $c ::= 0 \mid 1 \mid \ldots$
Terms: $a, b, v ::= x \mid c \mid \lambda x.a \mid a\ b$

We write $a[x \leftarrow b]$ for the capture-avoiding substitution¹ of $b$ for all free occurrences of $x$ in $a$. We say that a term $v$ is a value, and write $v \in \mathit{Values}$, if $v$ is either a constant $c$ or an abstraction $\lambda x.b$.

¹ The Coq development does not treat terms modulo $\alpha$-conversion, therefore the substitution $a[x \leftarrow b]$ can capture variables. However, it is capture-avoiding if $b$ is closed, and this suffices to define evaluation and reduction of closed source terms.



The standard call-by-value semantics in big-step style for this language is defined by the inductive interpretation of the following inference rules. They define the relation $a \Rightarrow v$ (read: "$a$ evaluates to $v$").

$$c \Rightarrow c\ \ (\Rightarrow\text{-const}) \qquad \lambda x.a \Rightarrow \lambda x.a\ \ (\Rightarrow\text{-fun})$$

$$\frac{a_1 \Rightarrow \lambda x.b \quad a_2 \Rightarrow v_2 \quad b[x \leftarrow v_2] \Rightarrow v}{a_1\ a_2 \Rightarrow v}\ \ (\Rightarrow\text{-app})$$

Lemma 2 If $a \Rightarrow v$, then $v \in \mathit{Values}$.

Proof. Induction on a derivation of $a \Rightarrow v$. □

Lemma 3 The $\Rightarrow$ relation is deterministic: if $a \Rightarrow v$ and $a \Rightarrow v'$, then $v = v'$.

Proof. By induction on the derivation of $a \Rightarrow v$ and case analysis over that of $a \Rightarrow v'$. □

The rules above capture only terminating evaluations. Writing $\delta = \lambda x.\ x\ x$ and $\omega = \delta\ \delta$, we have for instance:

Lemma 4 $\omega \Rightarrow v$ is false for all terms $v$.

Proof. We show that $a \Rightarrow v$ implies $a \neq \omega$ by induction on the derivation of $a \Rightarrow v$. □

Following Cousot and Cousot [8] and the second author's PhD work [16], we define divergence (infinite evaluations) by the coinductive interpretation² of the following inference rules. They define the relation $a \Rightarrow^{\infty}$ (read: "$a$ diverges").

$$\frac{a_1 \Rightarrow^{\infty}}{a_1\ a_2 \Rightarrow^{\infty}}\ \ (\Rightarrow^{\infty}\text{-app-l}) \qquad \frac{a_1 \Rightarrow v \quad a_2 \Rightarrow^{\infty}}{a_1\ a_2 \Rightarrow^{\infty}}\ \ (\Rightarrow^{\infty}\text{-app-r})$$

$$\frac{a_1 \Rightarrow \lambda x.b \quad a_2 \Rightarrow v \quad b[x \leftarrow v] \Rightarrow^{\infty}}{a_1\ a_2 \Rightarrow^{\infty}}\ \ (\Rightarrow^{\infty}\text{-app-f})$$

Note that we have imposed (arbitrarily) a left-to-right evaluation order for applications.

² Throughout this article, double horizontal lines in inference rules denote inference rules that are to be interpreted coinductively; single horizontal lines denote the inductive interpretation.
Lemma 5 $\omega \Rightarrow^{\infty}$ holds.

Proof. The proof is by coinduction. Assume $\omega \Rightarrow^{\infty}$ as coinduction hypothesis. We can derive $\omega \Rightarrow^{\infty}$ with rule ($\Rightarrow^{\infty}$-app-f), using the coinduction hypothesis as third premise.

Since this is the first proof by coinduction in this article, we now detail the proof sketch given above using the various approaches outlined in section 2.

Greatest fixed point. Consider the inference operator $F$ associated with the rules defining $\Rightarrow^{\infty}$, namely

$$F(S) = \{\, a_1\ a_2 \mid a_1 \in S \,\}$$
$$\qquad \cup\ \{\, a_1\ a_2 \mid \exists v,\ a_1 \Rightarrow v \wedge a_2 \in S \,\}$$
$$\qquad \cup\ \{\, a_1\ a_2 \mid \exists x, b, v,\ a_1 \Rightarrow \lambda x.b \wedge a_2 \Rightarrow v \wedge b[x \leftarrow v] \in S \,\}$$

The set $S = \{\omega\}$ is $F$-consistent. Indeed, $\omega \in F(\{\omega\})$ by the third line of the definition of $F$. Therefore, $S \subseteq \mathrm{gfp}(F)$, implying that $\omega \Rightarrow^{\infty}$ holds.

Systems of guarded recursive equations. Consider the following equation with unknown $d$ (a derivation):

$$d = \frac{\delta \Rightarrow \lambda x.\ x\ x \qquad \delta \Rightarrow \delta \qquad d}{\delta\ \delta \Rightarrow^{\infty}}$$

Since $(x\ x)[x \leftarrow \delta] = \delta\ \delta$, this equation is justified by rule ($\Rightarrow^{\infty}$-app-f). Moreover, it is guarded. Therefore, its solution is a valid derivation that proves $\delta\ \delta \Rightarrow^{\infty}$. It follows that this judgment holds.

Coq proof term. Consider the Coq proof term evalinf_omega defined by the following corecursion:

    CoFixpoint evalinf_omega : evalinf omega :=
      let eval_delta : eval delta delta :=
        eval_fun x (App (Var x) (Var x)) in
      evalinf_app_f delta delta x (App (Var x) (Var x)) delta
        eval_delta
        eval_delta
        evalinf_omega.

The two constructor functions eval_fun and evalinf_app_f correspond to the inference rules ($\Rightarrow$-fun) and ($\Rightarrow^{\infty}$-app-f), respectively. They receive as arguments instantiations for the free variables of the rules ($x$ and $a$ for ($\Rightarrow$-fun); $a_1$, $a_2$, $x$, $b$, $v$ for ($\Rightarrow^{\infty}$-app-f)), followed by proof terms for their premises (proofs of $\delta \Rightarrow \delta$, $\delta \Rightarrow \delta$ and $\omega \Rightarrow^{\infty}$ for ($\Rightarrow^{\infty}$-app-f)). The term evalinf_omega has type evalinf omega, which proves that this proposition representing $\omega \Rightarrow^{\infty}$ is true.
Coq proof script. The following commented sequence of tactics builds the proof term above in an interactive manner.

    Lemma evalinf_omega: evalinf omega.
    Proof.
      cofix COINDHYP.
        (* Prepare a proof by coinduction.  The current goal omega =>∞
           becomes an hypothesis named COINDHYP. *)
      unfold omega. eapply evalinf_app_f.
        (* Apply the constructor for rule =>∞-app-f. *)
      unfold delta. apply eval_fun.
        (* Prove the first premise (evaluation of delta). *)
      unfold delta. apply eval_fun.
        (* Prove the second premise (evaluation of delta). *)
      simpl. fold delta. fold omega.
        (* Replace (x x)[x <- delta] by omega. *)
      apply COINDHYP.
        (* Prove the third premise by invoking the coinduction hypothesis. *)
    Qed.

□

Lemma 6 $a \Rightarrow v$ and $a \Rightarrow^{\infty}$ are mutually exclusive.

Proof. By induction on the derivation of $a \Rightarrow v$, case analysis on that of $a \Rightarrow^{\infty}$, and lemma 3. □

Programs that neither evaluate nor diverge according to the rules above are said to "go wrong". For instance, the program $0\ 0$ goes wrong since neither $0\ 0 \Rightarrow v$ nor $0\ 0 \Rightarrow^{\infty}$ hold for any $v$.



4 Relation with small-step semantics 



The one-step reduction relation is defined by the call-by-value $\beta$-reduction axiom plus two context rules for reducing under applications, assuming left-to-right evaluation order.

$$\frac{v \in \mathit{Values}}{(\lambda x.a)\ v \to a[x \leftarrow v]}$$

$$\frac{a_1 \to a_2}{a_1\ b \to a_2\ b}\ \ (\to\text{-app-l}) \qquad \frac{a \in \mathit{Values} \quad b_1 \to b_2}{a\ b_1 \to a\ b_2}\ \ (\to\text{-app-r})$$
Lemma 7 The $\to$ relation is deterministic: if $a \to a'$ and $a \to a''$, then $a' = a''$.

Proof. By induction on the derivation of $a \to a'$ and case analysis over that of $a \to a''$. □

There are three kinds of reduction sequences of interest. The first, written $a \to^{*} b$ ("$a$ reduces to $b$ in zero, one or several steps"), is the standard reflexive transitive closure of $\to$; it captures finite reductions. The second, written $a \to^{\infty}$ ("$a$ reduces infinitely"), captures infinite reductions. The third, written $a \to^{\mathit{co}*} b$ ("$a$ reduces to $b$ in zero, one, several or infinitely many steps"), is the coinductive interpretation of the rules for reflexive transitive closure; it captures both finite and infinite reductions. These relations are defined by the following rules, interpreted inductively for $\to^{*}$ and coinductively for $\to^{\infty}$ and $\to^{\mathit{co}*}$.

$$a \to^{*} a \qquad \frac{a \to a' \quad a' \to^{*} b}{a \to^{*} b}$$

$$\frac{a \to a' \quad a' \to^{\infty}}{a \to^{\infty}}$$

$$a \to^{\mathit{co}*} a \qquad \frac{a \to a' \quad a' \to^{\mathit{co}*} b}{a \to^{\mathit{co}*} b}$$

It is true that $\to^{\mathit{co}*}$ is the union of $\to^{*}$ and $\to^{\infty}$ in the following sense.

Lemma 8 $a \to^{\mathit{co}*} b$ if and only if $a \to^{*} b$ or $a \to^{\infty}$.

Proof (classical). For the "if" part, we show that $a \to^{*} b \Rightarrow a \to^{\mathit{co}*} b$ by induction on $a \to^{*} b$, and that $a \to^{\infty} \Rightarrow a \to^{\mathit{co}*} b$ by coinduction. For the "only if" part, we show that $a \to^{\mathit{co}*} b \wedge \neg(a \to^{*} b) \Rightarrow a \to^{\infty}$ by coinduction. The result follows by excluded middle over $a \to^{*} b$. □

We now turn to relating the reduction relations (small-step) and the evaluation relations (big-step). It is well known that normal evaluation is equivalent to finite reduction to a value.

Theorem 9 $a \Rightarrow v$ if and only if $a \to^{*} v$ and $v \in \mathit{Values}$.

Proof. The "only if" part is an easy induction on $a \Rightarrow v$. For the "if" part, we first show the following two lemmas: (1) $v \Rightarrow v$ if $v \in \mathit{Values}$, and (2) $a \Rightarrow v$ if $a \to b$ and $b \Rightarrow v$. The result follows by induction on the proof of $a \to^{*} v$. □

Similarly, divergence ($\Rightarrow^{\infty}$) is equivalent to infinite reduction ($\to^{\infty}$). The proof uses the following lemma.

Lemma 10 For all terms $a$, either $a \to^{\infty}$, or there exists $b$ such that $a \to^{*} b$ and $b \not\to$, that is, $\forall b',\ \neg(b \to b')$.

Proof (classical). We first show that $\forall b,\ a \to^{*} b \Rightarrow \exists b',\ b \to b'$ implies $a \to^{\infty}$ by coinduction. We then argue by excluded middle on $a \to^{\infty}$. □

Theorem 11 $a \Rightarrow^{\infty}$ if and only if $a \to^{\infty}$.

Proof (classical). For the "only if" part, we first show that $a \Rightarrow^{\infty}$ implies $\exists b,\ a \to b \wedge b \Rightarrow^{\infty}$ by structural induction on $a$, then conclude by coinduction. For the "if" part, we proceed by coinduction and case analysis over $a$. The only non-trivial case is $a = a_1\ a_2$. Using lemma 10, we distinguish three cases: (1) $a_1$ reduces infinitely; (2) $a_1$ reduces to a value but $a_2$ reduces infinitely; (3) $a_1$ and $a_2$ reduce to values $\lambda x.b$ and $v$ respectively, and $b[x \leftarrow v]$ reduces infinitely. We conclude $a \Rightarrow^{\infty}$ by applying the appropriate inference rule for each case, the coinduction hypothesis for the $\Rightarrow^{\infty}$ premise, and theorem 9 for the $\Rightarrow$ premises. □



5 Relation with denotational semantics 



Denotational semantics is an alternate way to characterize divergent and convergent terms. In this section, we develop a simple denotational semantics for call-by-value $\lambda$-calculus and prove that it captures the same notions of convergence and divergence as our big-step operational semantics. To facilitate the mechanization of these results in the Coq theorem prover, we adopt an elementary presentation of the denotational semantics that does not require the full generality of Scott domains.

We define the computation $C_n(a)$ of a term $a$ at maximal recursion depth $n \in \mathbb{N}$ by recursion over $n$, as follows.

$$C_0(a) = \bot$$
$$C_{n+1}(x) = \mathit{err}$$
$$C_{n+1}(c) = c$$
$$C_{n+1}(\lambda x.a) = \lambda x.a$$
$$C_{n+1}(a_1\ a_2) = C_n(a_1) \rhd \big(v_1 \mapsto C_n(a_2) \rhd \big(v_2 \mapsto \text{if } v_1 = \lambda x.b \text{ then } C_n(b[x \leftarrow v_2]) \text{ else } \mathit{err}\big)\big)$$

The monadic composition operator $\rhd$ used in the application case is defined by

$$\bot \rhd f = \bot \qquad \mathit{err} \rhd f = \mathit{err} \qquad v \rhd f = f(v).$$

The result of $C_n(a)$, or in other terms the outcome of executing $a$ at depth $n$, is one of the following three possibilities: (1) a value $v$, denoting normal termination with $v$ as final value; (2) the symbol $\mathit{err}$, denoting abrupt termination on a run-time error (such as encountering a free variable or an application of a constant); (3) the symbol $\bot$, indicating that the computation cannot complete within $n$ recursive steps.

The flat ordering $\leq$ over results is defined by $\bot \leq r$ and $r \leq r$ for all $r$. The $C$ function is monotone with respect to this ordering:

Lemma 12 If $n \leq m$, then $C_n(a) \leq C_m(a)$.

Proof. By induction over $n$ and case analysis over $a$. □

We say that a term $a$ executes with result $r$, or in other terms that $r$ is the denotation of $a$, and we write $\mathcal{D}(a, r)$, if $C_n(a) = r$ for almost all $n$:

$$\mathcal{D}(a, r) \overset{\mathrm{def}}{=} \exists p,\ \forall n,\ n \geq p \Rightarrow C_n(a) = r.$$

Since $C$ is monotone, the following properties hold trivially:

Lemma 13 If $\mathcal{D}(a, r)$, then for all $n$, either $C_n(a) = \bot$ or $C_n(a) = r$.

Lemma 14 If $r \neq \bot$ and $C_n(a) = r$ for some $n$, then $\mathcal{D}(a, r)$.

Lemma 15 $\mathcal{D}(a, \bot)$ if and only if $C_n(a) = \bot$ for all $n$.

It follows that every term has one and exactly one denotation.

Lemma 16 For all terms $a$, there exists a result $r$ such that $\mathcal{D}(a, r)$.

Proof (classical). By excluded middle, either $\forall n,\ C_n(a) = \bot$ or $\exists n,\ C_n(a) \neq \bot$. In the former case, we obviously have $\mathcal{D}(a, \bot)$. In the latter case, pick $n$ such that $C_n(a) \neq \bot$ and take $r = C_n(a)$. By lemma 14, we have $\mathcal{D}(a, r)$. □

Lemma 17 If $\mathcal{D}(a, r_1)$ and $\mathcal{D}(a, r_2)$, then $r_1 = r_2$.

Proof. Notice that $r_1 = C_n(a) = r_2$ for sufficiently large $n$. □

We now relate this denotational semantics with the big-step operational semantics of section 3, starting with the terminating case.

Theorem 18 $a \Rightarrow v$ if and only if $\mathcal{D}(a, v)$.

Proof. For the "if" part, we show that $C_n(a) = v$ implies $a \Rightarrow v$ by induction over $n$ and case analysis over $a$ and over the results of the recursive computations. The case $a = x$ contradicts the hypothesis $C_n(a) = v$. For the cases $a = c$ or $a = \lambda x.b$, we have $v = a$ by definition of $C$ and the result follows by rules ($\Rightarrow$-const) or ($\Rightarrow$-fun). Finally, if $a = a_1\ a_2$, the exploitation of the hypothesis $C_n(a) = v$ leads to $C_{n-1}(a_1) = \lambda x.b$ and $C_{n-1}(a_2) = v_2$ and $C_{n-1}(b[x \leftarrow v_2]) = v$. The result follows from the induction hypothesis and rule ($\Rightarrow$-app).

For the "only if" part, we proceed by induction over the derivation of $a \Rightarrow v$ and exhibit an $n$ such that $C_n(a) = v$. From this, $\mathcal{D}(a, v)$ follows by lemma 14. The cases where $a$ is a constant or a function are trivial, since $C_1(a) = v$ in these cases. For the application case $a = a_1\ a_2$, the induction hypothesis leads to $C_{n_1}(a_1) = \lambda x.b$ and $C_{n_2}(a_2) = v_2$ and $C_{n_3}(b[x \leftarrow v_2]) = v$ for some $n_1, n_2, n_3$. Taking $n = 1 + \max(n_1, n_2, n_3)$, we have $C_n(a) = v$ by definition and monotonicity of $C$, and the result follows. □

Theorem 19 $a \Rightarrow^{\infty}$ if and only if $\mathcal{D}(a, \bot)$.

Proof. For the "only if" part, we show that $a \Rightarrow^{\infty}$ implies $C_n(a) = \bot$ by induction over $n$ and case analysis on the last rule used in the derivation of $a \Rightarrow^{\infty}$. In all three cases, $a = a_1\ a_2$. If $a_1 \Rightarrow^{\infty}$, then $C_{n-1}(a_1) = \bot$ by induction hypothesis, hence $C_n(a) = \bot \rhd \ldots = \bot$. If $a_1 \Rightarrow v_1$ and $a_2 \Rightarrow^{\infty}$, we have $\mathcal{D}(a_1, v_1)$ by theorem 18. By induction hypothesis, $C_{n-1}(a_2) = \bot$. By lemma 13, either $C_{n-1}(a_1) = \bot$ or $C_{n-1}(a_1) = v_1$. In both cases, $C_n(a) = \bot$. The third and last case ($a_1 \Rightarrow \lambda x.b$ and $a_2 \Rightarrow v_2$ and $b[x \leftarrow v_2] \Rightarrow^{\infty}$) is similar.

The "if" part is proved by coinduction and case analysis over $a$. The cases $a = x$, $a = c$ and $a = \lambda x.b$ trivially contradict the hypothesis $\mathcal{D}(a, \bot)$. Therefore, it must be the case that $a = a_1\ a_2$. Let $r_1$ and $r_2$ be the denotations of $a_1$ and $a_2$. (They exist by lemma 16.) We argue by case over $r_1$ and $r_2$, exploiting the definition of $C$ for sufficiently large values of $n$. There are only three cases that do not contradict the hypothesis $\mathcal{D}(a, \bot)$: (1) $r_1 = \bot$; (2) $r_1$ is a value $v_1$ and $r_2 = \bot$; (3) $r_1$ is a value $\lambda x.b$ and $r_2$ is a value $v_2$ and $\mathcal{D}(b[x \leftarrow v_2], \bot)$. We conclude $a \Rightarrow^{\infty}$ by applying the appropriate inference rule for each case, the coinduction hypothesis for the $\Rightarrow^{\infty}$ premise, and theorem 18 for the $\Rightarrow$ premises.

□
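The following is an added, self-contained Coq development written for this page; it is not the paper's own Coq development [19], although it reuses the names the page already shows (the constructors Var and App, the predicates eval and evalinf, the rule constructors eval_fun and evalinf_app_f, and the definitions delta and omega). It fixes representation choices the page leaves open (variables and constants are both naturals, the variable x is 0) and introduces names of its own for the material of this section (result, Bot, Err, Val, bind, C and C_omega_bot). It serves two passages at once: the proof of lemma 5 from section 3, replayed with the same tactic script (the only change is a `change` step in place of the two `fold`s, which relies on conversion rather than on the exact shape `simpl` leaves), and the depth-indexed computation $C_n(a)$ of this section, implemented as a structurally recursive Fixpoint and then used to prove $\mathcal{D}(\omega, \bot)$ directly, i.e. the "only if" direction of theorem 19 for $\omega$.

```coq
(* Syntax of section 3.  Variables and constants are both represented by
   naturals; Fun x a is the abstraction λx.a and App a b the application a b.
   This representation is this example's choice, not the paper's. *)
Inductive term : Type :=
  | Var   : nat -> term
  | Const : nat -> term
  | Fun   : nat -> term -> term
  | App   : term -> term -> term.

(* a[x <- b].  As the footnote of section 3 says, capture is not avoided;
   this is harmless because evaluation only substitutes closed values. *)
Fixpoint subst (x : nat) (b : term) (a : term) : term :=
  match a with
  | Var y   => if Nat.eqb x y then b else Var y
  | Const n => Const n
  | Fun y c => if Nat.eqb x y then Fun y c else Fun y (subst x b c)
  | App c d => App (subst x b c) (subst x b d)
  end.

(* Terminating evaluation a => v: inductive interpretation of
   (=>-const), (=>-fun) and (=>-app). *)
Inductive eval : term -> term -> Prop :=
  | eval_const : forall c, eval (Const c) (Const c)
  | eval_fun   : forall x a, eval (Fun x a) (Fun x a)
  | eval_app   : forall a1 a2 x b v2 v,
      eval a1 (Fun x b) -> eval a2 v2 -> eval (subst x v2 b) v ->
      eval (App a1 a2) v.

(* Divergence a =>∞: coinductive interpretation of (=>∞-app-l),
   (=>∞-app-r) and (=>∞-app-f), with left-to-right evaluation order. *)
CoInductive evalinf : term -> Prop :=
  | evalinf_app_l : forall a1 a2,
      evalinf a1 -> evalinf (App a1 a2)
  | evalinf_app_r : forall a1 a2 v,
      eval a1 v -> evalinf a2 -> evalinf (App a1 a2)
  | evalinf_app_f : forall a1 a2 x b v,
      eval a1 (Fun x b) -> eval a2 v -> evalinf (subst x v b) ->
      evalinf (App a1 a2).

(* delta = λx. x x  and  omega = delta delta, with the variable x taken as 0. *)
Definition delta := Fun 0 (App (Var 0) (Var 0)).
Definition omega := App delta delta.

(* Lemma 5.  After the two evaluation premises are discharged, the third
   premise is evalinf ((x x)[x <- delta]), which is convertible to
   evalinf omega, so the coinduction hypothesis closes it.  Qed runs the
   guardedness check: COINDHYP occurs only as an argument of a constructor. *)
Lemma evalinf_omega : evalinf omega.
Proof.
  cofix COINDHYP.
  unfold omega. eapply evalinf_app_f.
  - unfold delta. apply eval_fun.
  - unfold delta. apply eval_fun.
  - simpl. change (evalinf omega). apply COINDHYP.
Qed.

(* Section 5: the three possible outcomes of C_n(a). *)
Inductive result : Type :=
  | Bot : result            (* ⊥   : not finished within n steps *)
  | Err : result            (* err : run-time error *)
  | Val : term -> result.   (* a value *)

(* The monadic composition r ▷ f. *)
Definition bind (r : result) (f : term -> result) : result :=
  match r with
  | Bot   => Bot
  | Err   => Err
  | Val v => f v
  end.

(* C_n(a), by structural recursion on the depth n, as defined above. *)
Fixpoint C (n : nat) (a : term) : result :=
  match n with
  | O => Bot
  | S n' =>
      match a with
      | Var _     => Err
      | Const c   => Val (Const c)
      | Fun x b   => Val (Fun x b)
      | App a1 a2 =>
          bind (C n' a1) (fun v1 =>
          bind (C n' a2) (fun v2 =>
            match v1 with
            | Fun x b => C n' (subst x v2 b)
            | _       => Err
            end))
      end
  end.

(* Sanity checks: (λx.x) 7 converges at depth 3, 0 1 goes wrong, ω is ⊥. *)
Eval compute in C 3 (App (Fun 0 (Var 0)) (Const 7)).   (* = Val (Const 7) *)
Eval compute in C 2 (App (Const 0) (Const 1)).         (* = Err *)
Eval compute in C 10 omega.                             (* = Bot *)

(* D(ω, ⊥): C_n(ω) = ⊥ for every n.  At depth m+2, one β-step unfolds and
   C (S (S m)) omega is convertible to C (S m) ((x x)[x <- δ]) = C (S m) omega,
   so the induction hypothesis applies. *)
Lemma C_omega_bot : forall n, C n omega = Bot.
Proof.
  induction n as [| n IH].
  - reflexivity.
  - destruct n as [| m].
    + reflexivity.
    + change (C (S (S m)) omega) with (C (S m) omega). exact IH.
Qed.
```

The three Eval commands print Val (Const 7), Err and Bot respectively; C_omega_bot is the same fact for all depths at once, and together with lemma 15 it gives $\mathcal{D}(\omega, \bot)$ without going through theorem 19.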



6 Extension to trace semantics 

Besides expressing both terminating and diverging executions, small-step semantics have another advantage over big-step semantics: reduction sequences contain all intermediate reducts of the source term in addition to its final value, therefore providing a complete trace of the execution. Such execution traces are useful both for static analysis (by abstract interpretation of collecting semantics) and to state and prove stronger semantic preservation properties for program transformations. In particular, when the input language is imperative and features observable actions such as input/output, traces of observable events are crucial to state and prove observational equivalence results.

In this section, following the second author's work [16], we show how to extend the big-step semantics of section 3 so that they produce not only the outcome of an evaluation (final value or divergence), but also a (possibly infinite) execution trace.

6. 1 Traces 

The traces we consider are finite or infinite sequences of terms representing the intermediate reducts of the source program.

Finite traces: $t ::= \epsilon \mid a.t$ (inductive interpretation)
Infinite traces: $T ::= a.T$ (coinductive interpretation)

By abuse of notation, we write $t.t'$ and $t.T$ for the concatenation of a finite trace $t$ and a finite or infinite trace. Concatenation is associative and $\epsilon$ is a neutral element for concatenation.

If $t = a_1.a_2 \ldots a_n$ is a finite trace, we define the left application $t\ b$ of this trace to a term $b$ and the right application $v\ t$ of a value $v$ to this trace as follows:

$$t\ b = (a_1\ b).(a_2\ b) \ldots (a_n\ b)$$
$$v\ t = (v\ a_1).(v\ a_2) \ldots (v\ a_n)$$

We similarly define the applications $T\ b$ and $v\ T$ where $T$ is an infinite trace.

We define bisimilarity between infinite traces, written $T_1 \cong T_2$, by the following coinductive rule:

$$\frac{T_1 \cong T_2}{a.T_1 \cong a.T_2}$$

Concatenation and application of traces are compatible with bisimilarity.

In set theory, bisimilarity is equivalent to equality. In Coq's constructive logic, bisimilarity is coarser than equality: there exist infinite traces that are bisimilar but cannot be proved equal [10, chap. 13]. Some of the following results require the use of bisimilarity instead of equality in definitions and statements, in order to be provable in Coq.

6.2 Small-step semantics with traces 

While our objective is to instrument big-step semantics to produce execution traces, we start by doing this for the small-step semantics, which is easier and helps us define precisely the traces we expect for an execution. For a finite reduction sequence $a_1 \to a_2 \to \cdots \to a_{n-1} \to a_n$, the expected (finite) trace is $t = a_1.a_2 \ldots a_{n-1}$, that is, the initial term and its intermediate reducts but not the final term. Equivalently, the trace comprises the source terms for all reduction steps performed in the sequence. This is formalized by the following rules for the predicate $a \to^{*} a' / t$ (read: "$a$ reduces in zero, one or several steps to $a'$ with trace $t$").

$$a \to^{*} a / \epsilon \qquad \frac{a \to a' \quad a' \to^{*} b / t}{a \to^{*} b / a.t}$$

For an infinite reduction sequence $a_1 \to \cdots \to a_n \to \cdots$, the expected (infinite) trace is $T = a_1 \ldots a_n \ldots$ This is captured by the following coinductive rule defining the predicate $a \to^{\infty} / T$ (read: "$a$ reduces infinitely with trace $T$").

$$\frac{a \to b \quad b \to^{\infty} / T}{a \to^{\infty} / a.T}$$

It is intuitively clear that the small-step semantics with traces is a refinement of that without traces. We now formalize this intuition, which is not obvious to prove constructively in the case of infinite reductions.

Lemma 20 $a \to^{*} b$ if and only if $\exists t,\ a \to^{*} b / t$.

Proof. Straightforward by induction over the reduction sequences $a \to^{*} b$ and $a \to^{*} b / t$. □

Lemma 21 $a \to^{\infty}$ if and only if $\exists T,\ a \to^{\infty} / T$.

Proof. The "if" part is an easy proof by coinduction. The "only if" part is more involved: since the conclusion $\exists T,\ a \to^{\infty} / T$ is not a coinductively-defined predicate, we cannot reason directly by coinduction. Instead, we must construct explicitly a suitable infinite trace $T$. To this end, we first define a reduction function $\mathcal{R}$ from terms to optional terms that is equivalent to the one-step reduction predicate, that is

$$\mathcal{R}(a) = \begin{cases} \mathrm{Some}(b), & \text{if } a \to b; \\ \mathrm{None}, & \text{if } a \not\to. \end{cases}$$

This function is total (by induction over $a$), therefore proving that one-step reduction is decidable. Next, to every term $a$ we associate an infinite trace $T(a)$ of all the successive reducts of $a$. This trace is defined, by guarded corecursion, as

$$T(a) = \begin{cases} a.T(b), & \text{if } \mathcal{R}(a) = \mathrm{Some}(b); \\ a.T(a), & \text{if } \mathcal{R}(a) = \mathrm{None}. \end{cases}$$

We then show that $a \to^{\infty}$ implies $a \to^{\infty} / T(a)$. This follows by coinduction from the fact that $T(a) = a.T(b)$ whenever $a \to b$. □
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As a corollary, we obtain the following analogue of lemma 10. 

Lemma 22 For all terms a, either there exist a term b and a trace t such 
that a ^ b / t and b -f^, or there exists an infinite trace T such that a ^ / T. 

Proof (classical). Follows from lemmas 10, 20 and 21. □ 

Additionally, the trace-based reduction relations are deterministic up to bisim- 
ilarity between infinite traces. This is an immediate consequence of the deter- 
minism of one-step reductions (lemma 7). 

Lemma 23 If $a \to^{*} v_1 / t_1$ and $a \to^{*} v_2 / t_2$, where $v_1$ and $v_2$ are irreducible
($v_1 \not\to$ and $v_2 \not\to$), then $t_1 = t_2$ and $v_1 = v_2$.

Lemma 24 If $a \to^{\infty} / T_1$ and $a \to^{\infty} / T_2$, then $T_1 \cong T_2$.

Note that the stronger conclusion $T_1 = T_2$ is not provable in Coq. Another
consequence of the determinism of one-step reductions is the following obvious 
decomposition property for infinite reductions. 

Lemma 25 If $a \to^{\infty} / T$ and $a \to^{*} b / t$, there exists $T'$ such that $b \to^{\infty} / T'$ and
$T \cong t.T'$.



6.3 Big-step semantics with traces 

We now add traces to the big-step definitions of evaluation and divergence.
The corresponding predicates are $a \Rightarrow v / t$ ("$a$ evaluates to $v$ with finite trace
$t$") and $a \Rightarrow^{\infty} / T$ ("$a$ diverges with infinite trace $T$").

$$c \Rightarrow c / \varepsilon \ \ (\Rightarrow\text{-const}) \qquad\qquad \lambda x.a \Rightarrow \lambda x.a / \varepsilon \ \ (\Rightarrow\text{-fun})$$

$$\frac{a_1 \Rightarrow \lambda x.b / t_1 \qquad a_2 \Rightarrow v_2 / t_2 \qquad b[x \leftarrow v_2] \Rightarrow v / t_3 \qquad t = (t_1\ a_2).((\lambda x.b)\ t_2).((\lambda x.b)\ v_2).t_3}{a_1\ a_2 \Rightarrow v / t} \ (\Rightarrow\text{-app})$$

$$\frac{a_1 \Rightarrow^{\infty} / T_1 \qquad T \cong T_1\ a_2}{a_1\ a_2 \Rightarrow^{\infty} / T} \ (\Rightarrow^{\infty}\text{-app-l})$$

$$\frac{a_1 \Rightarrow v / t_1 \qquad a_2 \Rightarrow^{\infty} / T_2 \qquad T \cong (t_1\ a_2).(v\ T_2)}{a_1\ a_2 \Rightarrow^{\infty} / T} \ (\Rightarrow^{\infty}\text{-app-r})$$

$$\frac{a_1 \Rightarrow \lambda x.b / t_1 \qquad a_2 \Rightarrow v_2 / t_2 \qquad b[x \leftarrow v_2] \Rightarrow^{\infty} / T_3 \qquad T \cong (t_1\ a_2).((\lambda x.b)\ t_2).((\lambda x.b)\ v_2).T_3}{a_1\ a_2 \Rightarrow^{\infty} / T} \ (\Rightarrow^{\infty}\text{-app-f})$$
The construction of the trace in the rules for applications is justified as follows.
Assume, for instance, $a_1 \Rightarrow \lambda x.b / t_1$ and $a_2 \Rightarrow v_2 / t_2$. The application $a_1\ a_2$
performs one $\beta$-reduction $(\lambda x.b)\ v_2 \to b[x \leftarrow v_2]$ in addition to those coming
from the evaluations of the premises of the rule. The source term for this
reduction, $(\lambda x.b)\ v_2$, is therefore added to the trace. It is preceded by $t_1\ a_2$
(the trace for $a_1$ put into a left application context $[\ ]\ a_2$) and by $(\lambda x.b)\ t_2$ (the
trace for $a_2$ put into a right application context $(\lambda x.b)\ [\ ]$). The source of the
$\beta$-reduction is then followed by the trace corresponding to the evaluation of
the function body $b[x \leftarrow v_2]$.

Another point to note is the use of bisimilarity $T \cong \ldots$ instead of equality
$T = \ldots$ in the coinductive rules defining $\Rightarrow^{\infty}$. This allows traces to be replaced
by bisimilar traces at every inference step, therefore enabling us to prove
more statements about $\Rightarrow^{\infty}$ within the limits of Coq's coinductive proofs. (For
instance, the proof of theorem 31 no longer goes through if $\Rightarrow^{\infty}$ is defined with
equalities between traces instead of bisimilarities.) This subtle point is moot
in set theory, where bisimilarity is equivalent to equality.

Lemma 26 $\omega \Rightarrow^{\infty} / T$ holds where $T$ is the infinite trace $\omega.\omega.\omega \ldots$

Proof. By coinduction, using rule ($\Rightarrow^{\infty}$-app-f). □

6.4 Equivalence between the trace semantics 

We now show the equivalence between the big-step and small-step semantics 
with traces, extending the results of section 4. 

Theorem 27 $a \Rightarrow v / t$ if and only if $a \to^{*} v / t$ and $v \in \mathrm{Values}$.

Proof. The "only if" part is an easy induction on the derivation of $a \Rightarrow v / t$.
For the "if" part, we first show the following two lemmas: (1) $v \Rightarrow v / \varepsilon$ if
$v \in \mathrm{Values}$, and (2) $a \Rightarrow v / a.t$ if $a \to b$ and $b \Rightarrow v / t$. The result follows by
induction on the derivation of $a \to^{*} v / t$. □

Theorem 28 $a \Rightarrow^{\infty} / T$ implies $a \to^{\infty} / T$.

Proof. We first show by induction on $a$ that $a \Rightarrow^{\infty} / T$ implies the existence
of $b$ and $T'$ such that $a \to b$ and $b \Rightarrow^{\infty} / T'$ and $T \cong a.T'$. We then define the
following variant $\to^{\infty\prime}$ of the infinite reduction predicate, by the coinductive
inference rule

$$\frac{a \to b \qquad b \to^{\infty\prime} / T' \qquad T \cong a.T'}{a \to^{\infty\prime} / T}$$

This variant enables us to replace the infinite trace $T$ by a bisimilar one at
every proof step, while remaining within the subset of proofs that Coq accepts
as productively coinductive. We can therefore show that $a \Rightarrow^{\infty} / T$ implies
$a \to^{\infty\prime} / T$ by coinduction, using the decomposition property stated earlier.

We conclude by proving that $a \to^{\infty\prime} / T$ implies $a \to^{\infty} / T$, again by coinduction.

□

As a corollary of theorem 28, the big-step divergence relation ^ is determin- 
istic up to bisimilarity of the traces. It is interesting to note that we could not 
find a more direct Coq proof of this fact. 

Lemma 29 If $a \Rightarrow^{\infty} / T_1$ and $a \Rightarrow^{\infty} / T_2$, then $T_1 \cong T_2$.

Proof. Follows from lemma 24 and theorem 28. □

The converse of theorem 28 relies on the following inversion lemma for infinite 
reduction sequences starting with an application. 

Lemma 30 Assume $a\ b \to^{\infty} / T$.

(1) If $a \to^{\infty} / T'$, then $T \cong T'\ b$.

(2) If $a \in \mathrm{Values}$ and $b \to^{\infty} / T'$, then $T \cong a\ T'$.

(3) If $a \to^{*} a' / t$, then there exists $T'$ such that $a'\ b \to^{\infty} / T'$ and $T \cong (t\ b).T'$.

(4) If $a \in \mathrm{Values}$ and $b \to^{*} b' / t$, then there exists $T'$ such that $a\ b' \to^{\infty} / T'$
and $T \cong (a\ t).T'$.

Proof. For (1) and (2), we show by coinduction that $a\ b \to^{\infty} / T'\ b$ and
$a\ b \to^{\infty} / a\ T'$, respectively, then conclude by lemma 24.

Property (3) follows from the decomposition lemma 25 and the fact that
$a\ b \to^{*} a'\ b / t\ b$ whenever $a \to^{*} a' / t$. Similarly, property (4) follows from
the decomposition lemma 25 and the fact that $a\ b \to^{*} a\ b' / a\ t$ if $a \in \mathrm{Values}$
and $b \to^{*} b' / t$. □

Theorem 31 $a \to^{\infty} / T$ implies $a \Rightarrow^{\infty} / T$.

Proof (classical). The proof proceeds by coinduction and case analysis over
$a$. It must be the case that $a = a_1\ a_2$, otherwise $a$ cannot reduce infinitely.
Using lemma 22, we distinguish three cases:

(1) $a_1 \to^{\infty} / T_1$. This implies $a_1 \Rightarrow^{\infty} / T_1$ by coinduction hypothesis. Moreover,
we have $T \cong T_1\ a_2$ by case (1) of lemma 30, which implies the expected
result by rule ($\Rightarrow^{\infty}$-app-l).

(2) $a_1 \to^{*} v / t_1$ and $v \not\to$ and $a_2 \to^{\infty} / T_2$. By case (3) of lemma 30, we have
$v\ a_2 \to^{\infty} / T'$ for some $T'$ such that $T \cong (t_1\ a_2).T'$. This implies that
$v \in \mathrm{Values}$. Moreover, $T' \cong v\ T_2$ by case (2) of lemma 30. Theorem 27
gives $a_1 \Rightarrow v / t_1$ and the coinduction hypothesis gives $a_2 \Rightarrow^{\infty} / T_2$. The result
follows from rule ($\Rightarrow^{\infty}$-app-r).

(3) $a_1 \to^{*} v_1 / t_1$ and $v_1 \not\to$ and $a_2 \to^{*} v_2 / t_2$ and $v_2 \not\to$. Using cases (3) and (4)
of lemma 30, it follows that $v_1 = \lambda x.b$ for some $x$, $b$, that $v_2 \in \mathrm{Values}$, and
that $(\lambda x.b)\ v_2 \to^{\infty} / T'$ for some $T'$ such that $T \cong (t_1\ a_2).((\lambda x.b)\ t_2).T'$.
By inversion, we deduce $b[x \leftarrow v_2] \to^{\infty} / T_3$ for some $T_3$ such that
$T' \cong ((\lambda x.b)\ v_2).T_3$. The result follows by rule ($\Rightarrow^{\infty}$-app-f), the coinduction
hypothesis, and theorem 27.

□



7 Coevaluation 

7. 1 Definition and properties 

So far, we have described terminating and non-terminating evaluations using 
two separate sets of inference rules, one interpreted inductively and the other 
coinductively. An attempt to describe both kinds of evaluations at the same 
time, in a more concise way, is to interpret coinductively the standard evalu-
ation rules for terminating evaluations. This defines the relation $a \Rightarrow^{co} b$ (read:
"$a$ coevaluates to $b$").

$$c \Rightarrow^{co} c \ \ (\Rightarrow^{co}\text{-const}) \qquad\qquad \lambda x.a \Rightarrow^{co} \lambda x.a \ \ (\Rightarrow^{co}\text{-fun})$$

$$\frac{a_1 \Rightarrow^{co} \lambda x.b \qquad a_2 \Rightarrow^{co} v_2 \qquad b[x \leftarrow v_2] \Rightarrow^{co} v}{a_1\ a_2 \Rightarrow^{co} v} \ (\Rightarrow^{co}\text{-app})$$

It is clear from the definition of $\Rightarrow^{co}$ that coevaluation includes all terminating
evaluations, plus some diverging ones.

Lemma 32 If $a \Rightarrow v$, then $a \Rightarrow^{co} v$.

Proof. By induction on the derivation of $a \Rightarrow v$. □

Lemma 33 $\omega \Rightarrow^{co} v$ for all terms $v$.

Proof. By coinduction, using rule ($\Rightarrow^{co}$-app) with the coinduction hypothesis
as third premise. □

Naively, we could expect that $\Rightarrow^{co}$ is equivalent to the union of the $\Rightarrow$ and $\Rightarrow^{\infty}$
relations. This equivalence holds in one direction only, from coevaluation to
evaluation.

Lemma 34 If $a \Rightarrow^{co} v$, then either $a \Rightarrow v$ or $a \Rightarrow^{\infty}$.

Proof (classical). We show that $a \Rightarrow^{co} v$ and $\neg(a \Rightarrow v)$ implies $a \Rightarrow^{\infty}$. The
result then follows by excluded middle on $a \Rightarrow v$. The auxiliary property is
proved by coinduction and case analysis on $a$. The cases for variables, constants
and abstractions trivially contradict one of the hypotheses. If $a = a_1\ a_2$, an
inversion on the hypothesis $a \Rightarrow^{co} v$ shows that $a_1 \Rightarrow^{co} \lambda x.b$ and $a_2 \Rightarrow^{co} v_2$ and
$b[x \leftarrow v_2] \Rightarrow^{co} v$. Using excluded middle, it must be that at least one of these
three terms does not evaluate, otherwise, $a \Rightarrow v$ would hold. The result follows
by applying the rule for $\Rightarrow^{\infty}$ that matches the term that does not evaluate, and
using the coinduction hypothesis. □

However, the reverse implication from evaluation to coevaluation does not
hold: there exist terms that diverge but do not coevaluate. Consider for in-
stance $a = \omega\ (0\ 0)$. It is true that $a \Rightarrow^{\infty}$, but there is no term $v$ such that
$a \Rightarrow^{co} v$, because the coevaluation of the argument goes wrong (there is no
$v$ such that $0\ 0 \Rightarrow^{co} v$). Section 8.2 shows another example of a diverging term
that does not coevaluate, this time involving no subterm that goes wrong.

Another unusual feature of coevaluation is that it is not deterministic. For
instance, $\omega \Rightarrow^{co} v$ for any term $v$. However, $\Rightarrow^{co}$ is deterministic for terminating
terms, in the following sense:

Lemma 35 If $a \Rightarrow v$ and $a \Rightarrow^{co} v'$, then $v' = v$.

Proof. By induction on the derivation of $a \Rightarrow v$ and inversion on $a \Rightarrow^{co} v'$. □

Moreover, there exist diverging terms that coevaluate to only one value. An
example is $(\lambda x.0)\ \omega$, which coevaluates to $0$ but not to any other term.

7.2 Connection with small-step semantics 

Concerning the connections between coevaluation (big-step) and coreduction
(small-step) in the style of section 4, the expected equivalence between $\Rightarrow^{co}$ and
$\to^{co}$ holds in one direction only.

Lemma 36 $a \Rightarrow^{co} v$ implies $a \to^{co} v$.

Proof. Using classical logic, this follows from lemma 34 and the equivalence
theorems 9, 11 and 8. However, the result can be proved directly in constructive
logic. We first show that $a \Rightarrow^{co} v$ implies $a \in \mathrm{Values} \lor \exists b,\ a \to b \land b \Rightarrow^{co} v$ by
induction on $a$. The result follows by coinduction. □

The reverse implication obviously does not hold for terms $a$ that diverge but
do not coevaluate, such as the term $a = \omega\ (0\ 0)$ mentioned previously: since $a \Rightarrow^{\infty}$,
we have $a \to^{\infty}$ and therefore $a \to^{co} v$ for any $v$, but $a \Rightarrow^{co} v$ does not hold. Another
counterexample to the reverse implication is $a = (\lambda x.0)\ \omega$ and $v = 1$. Since
$a \to^{\infty}$, we have $a \to^{co} v$. However, $a \Rightarrow^{co} v$ does not hold since the only term to
which $a$ coevaluates is $0$.



7.3 Coevaluation for CPS terms 

Notwithstanding the negative results of sections 7.1 and 7.2, there exists a 
class of terms for which coevaluation correctly captures both terminating and 
diverging evaluations: terms that are in continuation-passing style (CPS). A 
distinguishing feature of these terms is that function arguments are always 
values. CPS terms are defined by the following grammar: 

$$a \in \mathrm{Atoms} ::= x \mid c \mid \lambda x.b \qquad\qquad b \in \mathrm{CPS\text{-}terms} ::= a \mid b\ a$$

Less formally, CPS terms are built from atoms (variables, constants and func- 
tion abstractions) using multiple applications in tail-call position. 

It is well known that CPS terms are stable by substitution of atoms for vari- 
ables. 

Lemma 37 If $a \in \mathrm{Atoms}$ and $b \in \mathrm{CPS\text{-}terms}$, then $b[x \leftarrow a] \in \mathrm{CPS\text{-}terms}$.
Consequently, the value of a CPS term is an atom.

Lemma 38 If $b \in \mathrm{CPS\text{-}terms}$ and $b \Rightarrow v$, then $v \in \mathrm{Atoms}$. As a corollary, if
$b \in \mathrm{CPS\text{-}terms}$ and $b \Rightarrow \lambda x.b'$, then $b' \in \mathrm{CPS\text{-}terms}$.

Proof. By induction on the derivation of $b \Rightarrow v$, using lemma 37 for the
application case. □

The main result of this section is that a closed CPS term coevaluates to a
value if and only if it evaluates or it diverges. The restriction to closed terms
is important since, for instance, the CPS term $\omega\ x$ diverges but its coevaluation
goes wrong on the free variable $x$.

The following lemma lists useful properties of CPS atoms. 
Lemma 39 Let $a \in \mathrm{Atoms}$.

(1) $a \Rightarrow a$ if $a$ is closed.

(2) It is not the case that $a \Rightarrow^{\infty}$.

(3) If $a \Rightarrow v$, then $v = a$.

The key technical lemma below shows that diverging, closed CPS terms co-
evaluate to a well-chosen value.

Lemma 40 Define $\Omega = \lambda x.\omega$. If $b \in \mathrm{CPS\text{-}terms}$, $b$ is closed and $b \Rightarrow^{\infty}$, then
$b \Rightarrow^{co} \Omega$.

Proof. By coinduction. The CPS term $b$ cannot be an atom (this would con-
tradict the divergence hypothesis), therefore $b = b'\ a$ with $b'$ a closed CPS term
and $a$ a closed CPS atom. Analysis on the last rule used in the derivation of
$b \Rightarrow^{\infty}$ reveals three cases. In the first case, $b' \Rightarrow^{\infty}$. By coinduction hypothe-
sis, $b' \Rightarrow^{co} \Omega = \lambda x.\omega$. By lemmas 39 and 32, $a \Rightarrow^{co} a$. Finally, $\omega[x \leftarrow a] = \omega$
coevaluates to $\Omega$ by lemma 33. Applying rule ($\Rightarrow^{co}$-app), it follows that $b \Rightarrow^{co} \Omega$.

The second case, $a \Rightarrow^{\infty}$, is impossible by lemma 39. This leaves the third
case: $b' \Rightarrow \lambda x.b''$ and $a \Rightarrow v$ and $b''[x \leftarrow v] \Rightarrow^{\infty}$. By lemma 38, $b''$ is a CPS
term. By lemma 39, $v = a$ and therefore $v$ is a CPS atom. It follows that
$b''[x \leftarrow v]$ is a CPS term (lemma 37). Moreover, this term is closed because of
the usual properties of free variables w.r.t. evaluation and substitution. Using
lemma 32 and the coinduction hypothesis, we obtain $b' \Rightarrow^{co} \lambda x.b''$ and $a \Rightarrow^{co} v$
and $b''[x \leftarrow v] \Rightarrow^{co} \Omega$, from which $b \Rightarrow^{co} \Omega$ follows by rule ($\Rightarrow^{co}$-app). □

The claimed equivalence result follows as a corollary.

Theorem 41 Let $b$ be a closed CPS term. We have $\exists v,\ b \Rightarrow^{co} v$ if and only if
$b \Rightarrow^{\infty}$ or $\exists v,\ b \Rightarrow v$.

Proof. Follows from lemmas 32, 34 and 40. □



8 Type soundness proofs 

We now turn to using our coinductive evaluation and reduction relations for
proving the soundness of type systems. To be more specific, we will use the
simply-typed $\lambda$-calculus with recursive types as our type system. We obtain
recursive types by interpreting the type algebra $\tau ::= \mathrm{int} \mid \tau_1 \to \tau_2$ coin-
ductively, as in [12]. The typing rules are recalled below. Type environments,
written $E$, are finite maps from variables to types.

$$E \vdash c : \mathrm{int} \qquad\qquad \frac{E(x) = \tau}{E \vdash x : \tau}$$

$$\frac{E + \{x : \tau'\} \vdash a : \tau}{E \vdash \lambda x.a : \tau' \to \tau} \qquad\qquad \frac{E \vdash a_1 : \tau' \to \tau \qquad E \vdash a_2 : \tau'}{E \vdash a_1\ a_2 : \tau}$$

Enabling recursive types makes the type system non-normalizing and makes it
possible to write interesting programs. In particular, the call-by-value fixpoint
operator $Y = \lambda f.\ (\lambda x.\ f\ (x\ x))\ (\lambda x.\ f\ (\lambda y.\ (x\ x)\ y))$ is well-typed, with types
$((\tau \to \tau') \to \tau \to \tau') \to \tau \to \tau'$ for all types $\tau$ and $\tau'$. (The self-applications
$x\ x$ are well-typed under the assumption $x : \sigma$, where the recursive type $\sigma$ is
defined by the equation $\sigma = \sigma \to \tau \to \tau'$.)

8. 1 Type soundness proofs using small-step semantics 

Wright and Felleisen [20] introduced a proof technique for showing type sound- 
ness that relies on small-step semantics and is standard nowadays. The proof 
relies on the twin properties of type preservation (also called subject reduction) 
and progress: 

Lemma 42 (Preservation) If $a \to b$ and $\emptyset \vdash a : \tau$, then $\emptyset \vdash b : \tau$.

Lemma 43 (Progress) If $\emptyset \vdash a : \tau$, then either $a \in \mathrm{Values}$ or there exists $b$
such that $a \to b$.

The formal statement of type soundness in Felleisen and Wright's approach is
the following:

Theorem 44 (Type soundness, 1) If $\emptyset \vdash a : \tau$ and $a \to^{*} b$, then either
$b \in \mathrm{Values}$ or $b$ reduces.

Proof. We first show that $\emptyset \vdash b : \tau$ by induction over $a \to^{*} b$, using the
preservation lemma. We then conclude with the progress lemma. □

The authors that follow this approach then conclude that well-typed closed
terms either reduce to a value or reduce infinitely. However, this conclusion is
generally neither expressed nor proved formally. In our approach, it is easy to
do so:

Theorem 45 (Type soundness, 2) If $\emptyset \vdash a : \tau$, then either $a \to^{\infty}$, or there
exists $v$ such that $a \to^{*} v$ and $v \in \mathrm{Values}$.

Proof (classical). By lemma 10, either $a \to^{\infty}$ or $\exists b,\ a \to^{*} b \land b \not\to$. The
result is obvious in the first case. In the second case, we note that $\emptyset \vdash b : \tau$
as a consequence of the preservation lemma, then use the progress lemma to
conclude that $b \in \mathrm{Values}$. □

An alternate, equivalent formulation of this theorem uses the coreduction re- 
lation 

Theorem 46 (Type soundness, 3) If $\emptyset \vdash a : \tau$, then there exists $v$ such
that $a \to^{co} v$ and $v \in \mathrm{Values}$.

Proof. Follows from theorem 45 and lemma 8. □

An arguably nicer characterisation of "programs that do not go wrong" is
given by the relation $a \to^{\mathrm{safe}}$ (read: "$a$ reduces safely"), defined coinductively
by the following rules:

$$\frac{v \in \mathrm{Values}}{v \to^{\mathrm{safe}}} \qquad\qquad \frac{a \to b \qquad b \to^{\mathrm{safe}}}{a \to^{\mathrm{safe}}}$$

These rules are interpreted coinductively so that $a \to^{\mathrm{safe}}$ holds if $a$ reduces
infinitely. We can then state and show type soundness without recourse to
classical logic:

Theorem 47 (Type soundness, 4) If $\emptyset \vdash a : \tau$, then $a \to^{\mathrm{safe}}$.

Proof. By coinduction. Applying the progress lemma, either $a \in \mathrm{Values}$ and
we are done, or $a \to b$ for some $b$. In the latter case, $\emptyset \vdash b : \tau$ by the preservation
property, and the result follows from the coinduction hypothesis. □



8.2 Type soundness proofs using big-step semantics 



The standard big-step semantics (defined by the $\Rightarrow$ relation) is awkward for
proving type soundness because it does not distinguish between terms that
diverge and terms that go wrong: in both cases, there is no value $v$ such that
$a \Rightarrow v$. Consequently, the obvious type soundness statement "if $\emptyset \vdash a : \tau$, there
exists $v$ such that $a \Rightarrow v$" is false for all type systems that do not guarantee
normalization. The best result we can prove, then, is the following big-step
equivalent to the preservation lemma:

Lemma 48 (Preservation, big-step style) If $a \Rightarrow v$ and $\emptyset \vdash a : \tau$, then
$\emptyset \vdash v : \tau$.

Proof. Easy induction on the derivation of $a \Rightarrow v$, using the fact that typing
is stable by substitution: if $\{x : \tau'\} \vdash a : \tau$ and $\emptyset \vdash b : \tau'$, then $\emptyset \vdash a[x \leftarrow b] : \tau$.
□

The standard approach for proving type soundness using big-step semantics is
to provide inductive inference rules to define a predicate $a \Rightarrow \mathrm{err}$ characterizing
terms that go wrong because of a type error, and prove the statement "if
$\emptyset \vdash a : \tau$, then it is not the case that $a \Rightarrow \mathrm{err}$" [21]. This approach is not
fully satisfactory for two reasons: (1) extra rules must be provided to define
$a \Rightarrow \mathrm{err}$, which increases the size of the semantics; (2) there is a risk that the
rules for $a \Rightarrow \mathrm{err}$ are incomplete and miss some cases of "going wrong", in
which case the type soundness statement does not guarantee that well-typed
terms either evaluate to a value or diverge.

Let us revisit these trade-offs in the light of our characterizations of divergence 
and coevaluation. We can now formally state what it means for a term to 
evaluate or to diverge. This leads to the following alternate statement of type 
soundness: 

Theorem 49 (Type soundness, 5) If $\emptyset \vdash a : \tau$, then either $a \Rightarrow^{\infty}$ or there
exists $v$ such that $a \Rightarrow v$.

By excluded middle, either $\exists v,\ a \Rightarrow v$ or $\forall v,\ \neg(a \Rightarrow v)$. Theorem 49 therefore
follows from lemma 50 below, which is a big-step analogue to the progress
lemma.

Lemma 50 (Progress, big-step style) If $\emptyset \vdash a : \tau$ and $\forall v,\ \neg(a \Rightarrow v)$,
then $a \Rightarrow^{\infty}$.

Proof (classical). The proof is by coinduction and case analysis over $a$. The
cases $a = x$, $a = c$ and $a = \lambda x.b$ lead to contradictions: variables have no types
in the empty environment; constants and abstractions evaluate to themselves.
The interesting case is therefore $a = a_1\ a_2$. By excluded middle, either $a_1$
evaluates to some value $v_1$, or not. In the latter case, $a \Rightarrow^{\infty}$ follows from rule
($\Rightarrow^{\infty}$-app-l) and from $a_1 \Rightarrow^{\infty}$, which we obtain by coinduction hypothesis. In
the former case, $v_1$ has a function type $\tau' \to \tau$ by lemma 48, and therefore
$v_1 = \lambda x.b$ for some $x$ and $b$. Moreover, $\{x : \tau'\} \vdash b : \tau$. Using excluded middle
again, either $a_2$ evaluates to some value $v_2$, or not. In the latter case, $a \Rightarrow^{\infty}$
follows from rule ($\Rightarrow^{\infty}$-app-r) and the coinduction hypothesis. In the former
case, $\emptyset \vdash v_2 : \tau'$. Since typing is stable by substitution, $\emptyset \vdash b[x \leftarrow v_2] : \tau$. Using
excluded middle for the third time, it must be that $\forall v,\ \neg(b[x \leftarrow v_2] \Rightarrow v)$,
otherwise $a$ would evaluate to some value. The result $a \Rightarrow^{\infty}$ then follows from
rule ($\Rightarrow^{\infty}$-app-f) and the coinduction hypothesis. □

The proof above is an original alternative to the standard approach of showing 
-i(a =^ err) for all well- typed terms a. From a methodological standpoint, our 
proof addresses one of the shortcomings of the standard approach, namely the 
risk of not putting in enough error rules. If we forget some divergence rules, 
the proof of lemma 50 will, in all likelihood, not go through. Therefore, this
novel approach to proving type soundness using big-step semantics appears 
rather robust with respect to mistakes in the specification of the semantics. 

The other methodological shortcoming remains, however: just like the "not 
goes wrong" approach, our approach requires more evaluation rules than just 
those for normal evaluations, namely the rules for divergence. This can easily
double the size of the specification of a dynamic semantics, which is a concern 
for realistic languages where the normal evaluation rules number in dozens. 

The coevaluation relation $\Rightarrow^{co}$ is attractive for this pragmatic reason, as it has
the same number of rules as normal evaluation. Of course, we have seen that
$a \Rightarrow^{co} v$ is not equivalent to $a \Rightarrow v \lor a \Rightarrow^{\infty}$, but the example we gave was for a
diverging term $a$ that is not typeable and where an early diverging evaluation
"hides" a later evaluation that goes wrong. Since type systems ensure that
all subterms of a term do not go wrong, we could hope that the following
conjecture holds:

Conjecture 1 (Type soundness, 6) If $\emptyset \vdash a : \tau$, there exists $v$ such that
$a \Rightarrow^{co} v$.

We were able to prove this conjecture for some uninteresting but nonetheless
non-normalizing type systems, such as simply-typed $\lambda$-calculus without recur-
sive types, but with a predefined constant of type $\mathrm{int} \to \mathrm{int}$ that diverges
when applied. However, the conjecture is false for simply-typed $\lambda$-calculus
with recursive types, and probably for all type systems with a general fixpoint
operator. Andrzej Filinski provided the following counterexample. Consider

$$Y\ F \quad \text{where} \quad F = \lambda f.\lambda x.\ (\lambda g.\lambda y.\ g\ y)\ (f\ x)$$

or, in more readable ML notation

    let rec f x = (let g = f x in fun y -> g y) in f

The term $Y\ F$ is well-typed with type $\tau \to \tau'$, yet its application $Y\ F\ 0$ (taking
$\tau = \mathrm{int}$) fails to coevaluate: the only possible value $v$ such that $Y\ F\ 0 \Rightarrow^{co} v$
would be an infinite term, $\lambda y.\ (\lambda y.\ (\lambda y.\ \ldots\ y)\ y)\ y$.



9 Compiler correctness proofs 



We now return to the original motivation of this work: proving that compilers 
preserve the semantics of source programs (including diverging ones), using 
big-step semantics. We demonstrate this approach on the compilation of call- 
by-value A-calculus down to a simple abstract machine. 






9.1 Big-step semantics with environments and closures 



Our abstract machine uses closures and environments indexed by de Bruijn
indices. It is therefore convenient to reformulate the big-step evaluation predi-
cates in these terms. Variables, written $x_n$, are now identified by their de Bruijn
indices $n$. Values (which are no longer a subset of terms) and environments
are defined as:

    Values:        v ::= c             integer values
                     |   (λa)[e]       function closures
    Environments:  e ::= ε | v.e       sequences of values

As in section 3, we define three evaluation relations by the inference rules
given below.

    $e \vdash a \Rightarrow v$          finite evaluations (inductive)
    $e \vdash a \Rightarrow^{\infty}$     infinite evaluations (coinductive)
    $e \vdash a \Rightarrow^{co} v$     coevaluations (coinductive)

$$e \vdash c \Rightarrow c \qquad\qquad e \vdash \lambda a \Rightarrow (\lambda a)[e] \qquad\qquad \frac{e = v_1 \ldots v_n \ldots}{e \vdash x_n \Rightarrow v_n}$$

$$\frac{e \vdash a_1 \Rightarrow (\lambda b)[e'] \qquad e \vdash a_2 \Rightarrow v_2 \qquad v_2.e' \vdash b \Rightarrow v}{e \vdash a_1\ a_2 \Rightarrow v}$$

$$\frac{e \vdash a_1 \Rightarrow^{\infty}}{e \vdash a_1\ a_2 \Rightarrow^{\infty}} \qquad\qquad \frac{e \vdash a_1 \Rightarrow v \qquad e \vdash a_2 \Rightarrow^{\infty}}{e \vdash a_1\ a_2 \Rightarrow^{\infty}}$$

$$\frac{e \vdash a_1 \Rightarrow (\lambda b)[e'] \qquad e \vdash a_2 \Rightarrow v \qquad v.e' \vdash b \Rightarrow^{\infty}}{e \vdash a_1\ a_2 \Rightarrow^{\infty}}$$

$$e \vdash c \Rightarrow^{co} c \qquad\qquad e \vdash \lambda a \Rightarrow^{co} (\lambda a)[e] \qquad\qquad \frac{e = v_1 \ldots v_n \ldots}{e \vdash x_n \Rightarrow^{co} v_n}$$

$$\frac{e \vdash a_1 \Rightarrow^{co} (\lambda b)[e'] \qquad e \vdash a_2 \Rightarrow^{co} v_2 \qquad v_2.e' \vdash b \Rightarrow^{co} v}{e \vdash a_1\ a_2 \Rightarrow^{co} v}$$

We will not formally study these relations, but note that they enjoy the same
properties as the environment-less relations studied in section 3.
9.2 The abstract machine and its compilation scheme



The abstract machine we use as target of compilation follows the call-by-value
strategy and the "eval-apply" model [22]. It is close in spirit to the SECD,
CAM, FAM and CEK machines [23,24,25,26]. The machine state has three
components: a code sequence, a stack and an environment. The syntax for
these components is as follows.

    Instructions:   I ::= Var(n)       push the value of variable number n
                       |  Const(c)     push the constant c
                       |  Clos(C)      push a closure for code C
                       |  App          perform a function application
                       |  Ret          return to calling function
    Code:           C ::= ε | I, C     instruction sequences
    Values:         V ::= c            constant values
                       |  C[E]         code closures
    Environments:   E ::= ε | V.E
    Stacks:         S ::= ε            empty stack
                       |  V.S          pushing a value
                       |  (C, E).S     pushing a return frame
The behaviour of the abstract machine is defined as a transition relation
$C; S; E \to C'; S'; E'$ that relates the machine states $(C; S; E)$ and $(C'; S'; E')$
respectively before and after the execution of the first instruction of the
code $C$. The transitions are as follows.

    State before transition                    State after transition
    Code           Stack            Env.       Code    Stack          Env.
    Var(n), C      S                E          C       V_n.S          E        (where E = V_1 ... V_n ...)
    Const(c), C    S                E          C       c.S            E
    Clos(C'), C    S                E          C       C'[E].S        E
    App, C         V.C'[E'].S       E          C'      (C, E).S       V.E'
    Ret, C         V.(C', E').S     E          C'      V.S            E'



As in section 4, we consider the following closures of the one-step transition
relation:

    $C; S; E \to^{*} C'; S'; E'$      zero, one or several transitions (inductive)
    $C; S; E \to^{+} C'; S'; E'$      one or several transitions (inductive)
    $C; S; E \to^{\infty}$               infinitely many transitions (coinductive)
    $C; S; E \to^{co} C'; S'; E'$     zero, one, several or infinitely many transitions (coinductive)

The compilation scheme from terms to code is straightforward:

$$[\![ x_n ]\!] = \mathrm{Var}(n) \qquad [\![ c ]\!] = \mathrm{Const}(c) \qquad [\![ \lambda a ]\!] = \mathrm{Clos}([\![ a ]\!], \mathrm{Ret}) \qquad [\![ a_1\ a_2 ]\!] = [\![ a_1 ]\!], [\![ a_2 ]\!], \mathrm{App}$$

The intended effect for the code $[\![ a ]\!]$ is to evaluate the term $a$ and push its
value at the top of the machine stack, leaving the rest of the stack and the
environment unchanged.
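The following Python program is an added example, not code from the paper or from its Coq development: it implements the machine transitions and the compilation scheme above, the big-step evaluator with closures of section 9.1, and a runtime check of the stack discipline that Theorem 51 below states for terminating terms (after executing $[\![ a ]\!]$ the machine is in state $C; [\![ v ]\!].S; [\![ e ]\!]$ for arbitrary $C$ and $S$). The tuple encoding of instructions and return frames, the step budgets and the sample terms are this example's own choices; de Bruijn indices start at 1, as in the rule $e = v_1 \ldots v_n \ldots$ above.

```python
"""Added example (not the paper's code): the eval-apply machine of section 9.2,
its compilation scheme, the big-step evaluator with closures of section 9.1, and
a check of the stack invariant of Theorem 51. De Bruijn indices start at 1."""
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Var: n: int                          # x_n
@dataclass(frozen=True)
class Const: c: int
@dataclass(frozen=True)
class Lam: body: "Term"                    # lambda a
@dataclass(frozen=True)
class App: fn: "Term"; arg: "Term"
Term = Union[Var, Const, Lam, App]

@dataclass(frozen=True)
class SClosure: body: Term; env: tuple     # source-level closure (lambda a)[e]
@dataclass(frozen=True)
class Closure: code: tuple; env: tuple     # machine closure C[E]
# Instructions are tuples ("Var", n), ("Const", c), ("Clos", C), ("App",), ("Ret",).
# Code, stacks and environments are tuples with the head first; a return frame is ("frame", C, E).

def compile_term(a: Term) -> tuple:
    """[[x_n]] = Var(n); [[c]] = Const(c); [[lambda a]] = Clos([[a]], Ret); [[a1 a2]] = [[a1]], [[a2]], App."""
    if isinstance(a, Var):   return (("Var", a.n),)
    if isinstance(a, Const): return (("Const", a.c),)
    if isinstance(a, Lam):   return (("Clos", compile_term(a.body) + (("Ret",),)),)
    return compile_term(a.fn) + compile_term(a.arg) + (("App",),)

def step(state):
    """One transition C; S; E -> C'; S'; E', or None when none applies: the code is
    empty, an index is unbound, App finds no closure under the argument, or Ret
    finds no return frame (the last three are the machine going wrong)."""
    code, stack, env = state
    if not code: return None
    instr, rest = code[0], code[1:]
    if instr[0] == "Var" and 1 <= instr[1] <= len(env):
        return rest, (env[instr[1] - 1],) + stack, env
    if instr[0] == "Const":
        return rest, (instr[1],) + stack, env
    if instr[0] == "Clos":
        return rest, (Closure(instr[1], env),) + stack, env
    if instr[0] == "App" and len(stack) >= 2 and isinstance(stack[1], Closure):
        v, clo = stack[0], stack[1]        # App, C; V.C'[E'].S; E -> C'; (C, E).S; V.E'
        return clo.code, (("frame", rest, env),) + stack[2:], (v,) + clo.env
    if instr[0] == "Ret" and len(stack) >= 2 and isinstance(stack[1], tuple) and stack[1][0] == "frame":
        v, (_, code2, env2) = stack[0], stack[1]   # Ret, C; V.(C', E').S; E -> C'; V.S; E'
        return code2, (v,) + stack[2:], env2
    return None

def run(state, fuel: int, stop=None):
    """Iterate step until no transition applies or stop(state) holds.
    Returns (state, steps), or (None, fuel) when the budget is exhausted."""
    steps = 0
    while True:
        if stop is not None and stop(state): return state, steps
        if steps >= fuel: return None, steps
        nxt = step(state)
        if nxt is None: return state, steps
        state, steps = nxt, steps + 1

def run_closed(a: Term, fuel: int = 10_000):
    """Start at [[a]]; eps; eps. Returns ("value", v) for the final state eps; v.eps; eps,
    ("stuck", state) if the machine halts anywhere else, ("timeout", None) otherwise."""
    final, _ = run((compile_term(a), (), ()), fuel)
    if final is None: return ("timeout", None)
    code, stack, env = final
    return ("value", stack[0]) if (code, len(stack), env) == ((), 1, ()) else ("stuck", final)

def bigstep(env: tuple, a: Term, fuel: int = 500):
    """e |- a => v by the inductive rules of section 9.1; None if the term goes wrong
    or the depth budget runs out (the term may diverge)."""
    if isinstance(a, Const): return a.c
    if isinstance(a, Var):   return env[a.n - 1] if 1 <= a.n <= len(env) else None
    if isinstance(a, Lam):   return SClosure(a.body, env)
    if fuel == 0: return None
    f, v2 = bigstep(env, a.fn, fuel - 1), bigstep(env, a.arg, fuel - 1)
    if not isinstance(f, SClosure) or v2 is None: return None
    return bigstep((v2,) + f.env, f.body, fuel - 1)

def encode(v):
    """[[c]] = c and [[(lambda a)[e]]] = ([[a]], Ret)[[[e]]]."""
    if isinstance(v, SClosure):
        return Closure(compile_term(v.body) + (("Ret",),), tuple(encode(w) for w in v.env))
    return v

def check_theorem_51(env: tuple, a: Term, cont: tuple, stack: tuple) -> bool:
    """If e |- a => v then ([[a]], C); S; [[e]] ->* C; [[v]].S; [[e]]: run the machine
    until its code component is exactly C and compare with the predicted state."""
    v = bigstep(env, a)
    if v is None: return False
    menv = tuple(encode(w) for w in env)
    final, _ = run((compile_term(a) + cont, stack, menv), 10_000, stop=lambda st: st[0] == cont)
    return final == (cont, (encode(v),) + stack, menv)

ID, K = Lam(Var(1)), Lam(Lam(Var(2)))
DELTA = Lam(App(Var(1), Var(1)))
OMEGA = App(DELTA, DELTA)

if __name__ == "__main__":
    print(run_closed(App(App(K, Const(1)), Const(2))))    # ('value', 1)
    print(run_closed(App(Const(0), Const(0)))[0])         # stuck: 0 is not a closure
    print(run_closed(OMEGA, 500)[0])                      # timeout: omega diverges
    print(check_theorem_51((5,), App(ID, Var(1)), (("Const", 99),), (42,)))  # True
```

A bounded run is the only operational way to observe divergence: `run_closed` reports `timeout` for $\omega$, which a finite budget cannot separate from a very long terminating computation, and `stuck` for $0\ 0$, where the App transition finds no closure under the argument; this is exactly why the paper needs the coinductive $\to^{\infty}$ and $\Rightarrow^{\infty}$ relations rather than a step count. The check of Theorem 51 stops the machine the first time its code component equals the continuation $C$, which is the first point at which all of $[\![ a ]\!]$ has been consumed, because the machine only ever pops instructions from the front of the code and return frames store suffixes of it.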



9.3 Proofs of semantic preservation 



We expect the compilation to abstract machine code to preserve the behaviour
of the source term, in the following general sense. Consider a closed term $a$ and
start the abstract machine in the initial state corresponding to $a$. If $a$ diverges,
the machine should perform infinitely many transitions. If $a$ evaluates to the
value $v$, the machine should reach a final state corresponding to $v$ in a finite
number of transitions. Here, the initial state corresponding to $a$ is $[\![ a ]\!]; \varepsilon; \varepsilon$.
The final state corresponding to the result value $v$ is $\varepsilon; [\![ v ]\!].\varepsilon; \varepsilon$, that is, the
code has been entirely consumed and the machine value $[\![ v ]\!]$ corresponding
to the source-level value $v$ is left on top of the stack. The correspondence
between source-level values and machine values, as well as between source-
level environments and machine environments, is defined by:

$$[\![ c ]\!] = c \qquad\qquad [\![ (\lambda a)[e] ]\!] = ([\![ a ]\!], \mathrm{Ret})[[\![ e ]\!]] \qquad\qquad [\![ v_1 \ldots v_n ]\!] = [\![ v_1 ]\!] \ldots [\![ v_n ]\!]$$

Semantic preservation is easy to show for terminating terms $a$ using the big-
step semantics. We just need to strengthen the statement of preservation so
that it lends itself to induction over the derivation of $e \vdash a \Rightarrow v$.

Theorem 51 If $e \vdash a \Rightarrow v$, then $([\![ a ]\!], C); S; [\![ e ]\!] \to^{*} C; [\![ v ]\!].S; [\![ e ]\!]$ for all
codes $C$ and stacks $S$.
Proof. By induction on the derivation of $e \vdash a \Rightarrow v$. The base cases where $a$
is a variable, a constant or an abstraction are straightforward. The inductive
case is $a = a_1\ a_2$ with $e \vdash a_1 \Rightarrow (\lambda b)[e']$ and $e \vdash a_2 \Rightarrow v_2$ and $v_2.e' \vdash b \Rightarrow v$.
We build the following sequence of machine transitions:

$$\begin{array}{ll}
& ([\![ a_1 ]\!], [\![ a_2 ]\!], \mathrm{App}, C); S; [\![ e ]\!] \\
& \text{(induction hypothesis applied to the evaluation of } a_1\text{)} \\
\to^{*} & ([\![ a_2 ]\!], \mathrm{App}, C); [\![ (\lambda b)[e'] ]\!].S; [\![ e ]\!] \\
& \text{(induction hypothesis applied to the evaluation of } a_2\text{)} \\
\to^{*} & (\mathrm{App}, C); [\![ v_2 ]\!].[\![ (\lambda b)[e'] ]\!].S; [\![ e ]\!] \\
& \text{(App transition, since } [\![ (\lambda b)[e'] ]\!] = ([\![ b ]\!], \mathrm{Ret})[[\![ e' ]\!]]\text{)} \\
\to & ([\![ b ]\!], \mathrm{Ret}); (C, [\![ e ]\!]).S; [\![ v_2 ]\!].[\![ e' ]\!] \\
& \text{(induction hypothesis applied to the evaluation of } b\text{)} \\
\to^{*} & \mathrm{Ret}; [\![ v ]\!].(C, [\![ e ]\!]).S; [\![ v_2 ]\!].[\![ e' ]\!] \\
& \text{(Ret transition)} \\
\to & C; [\![ v ]\!].S; [\![ e ]\!]
\end{array}$$

The result follows by transitivity of $\to^{*}$. □

It is impossible, however, to prove semantic preservation for diverging terms 
using only the standard big-step semantics, since it does not describe diver- 
gence. This led several authors to prove semantic preservation for compilation 
to abstract machines using small-step semantics with explicit substitutions 
[27,7]. To this end, they prove a simulation result between machine tran- 
sitions and source-level reductions: every machine transition corresponds to 
zero or one source-level reductions. To make the correspondence precise, they 
need to define a decompilation relation that maps intermediate machine states 
back to source-level terms. However, decompilation relations are difficult to 
define, especially for optimizing compilation schemes; see [28, section 4.3] for 
an example. 

The coinductive big-step semantics studied in this article provide a simpler
way to prove semantic preservation for non-terminating terms. Namely, the
following two theorems hold, showing that compilation preserves divergence
and coevaluation as characterized by the $\Rightarrow^{\infty}$ and $\Rightarrow^{co}$ predicates.

Theorem 52 If $e \vdash a \Rightarrow^{\infty}$, then $([\![ a ]\!], C); S; [\![ e ]\!] \to^{\infty}$ for all codes $C$ and
stacks $S$.

Theorem 53 If $e \vdash a \Rightarrow^{co} v$, then $([\![ a ]\!], C); S; [\![ e ]\!] \to^{co} C; [\![ v ]\!].S; [\![ e ]\!]$ for all
codes $C$ and stacks $S$.

Neither theorem can be proved directly by coinduction and case analysis
over $a$. The problem is in the application case $a = a_1\ a_2$, where the code
component of the initial machine state is of the form $[\![ a_1 ]\!], [\![ a_2 ]\!], \mathrm{App}, C$. It is
not possible to invoke the coinduction hypothesis to reason over the execu-
tion of $[\![ a_1 ]\!]$, because this use of the coinduction hypothesis is not guarded
by an inference rule for the $\to^{\infty}$ relation, or in other terms because no ma-
chine instruction is executed before invoking the hypothesis. In the approach
to coinduction based on systems of equations presented in section 2.2, the
problem manifests itself as a non-guarded equation $x_j = x_{j'}$ when $j$ is the
judgment $([\![ a_1\ a_2 ]\!], C); S; [\![ e ]\!] \to^{\infty}$ associated with the state $e \vdash a_1\ a_2 \Rightarrow^{\infty}$,
$C$ and $S$, while $j'$ is the equivalent judgment $([\![ a_1 ]\!], ([\![ a_2 ]\!], \mathrm{App}, C)); S; [\![ e ]\!] \to^{\infty}$
associated with the state $e \vdash a_1 \Rightarrow^{\infty}$, $([\![ a_2 ]\!], \mathrm{App}, C)$ and $S$.

There are two ways to address this issue. The first is to modify the compilation
scheme for applications, in order to insert a "no operation" instruction in
front of the generated sequence: $[\![ a_1\ a_2 ]\!] = \mathrm{Nop}, [\![ a_1 ]\!], [\![ a_2 ]\!], \mathrm{App}$. The Nop operation
has the obvious machine transition $(\mathrm{Nop}, C); S; E \to C; S; E$. With this
modification, the coinductive proof for theorem 52 performs a Nop transition
before invoking the coinduction hypothesis to deal with the evaluation of $[\![ a_1 ]\!]$.
This makes the coinductive proof properly guarded.

Of course, it is inelegant to pepper the generated code with Nop instructions
just to make one proof go through. We therefore use an alternate approach
where the compilation scheme for applications is unchanged, but we exploit
the fact that the number of such recursive calls that do not perform a ma-
chine transition is necessarily finite, because our term algebra is finite. More
precisely, this number is the left application height $\|a\|$ of the term $a$ being
compiled, where $\|a\|$ is defined by

$$\|a_1\ a_2\| = \|a_1\| + 1 \qquad\qquad \|x\| = \|c\| = \|\lambda a\| = 0$$



To prove theorem 52, we follow the approach described by Bertot [29] in his
coinductive presentation and proof of Eratosthenes' sieve algorithm. We first
define the coinductive relation $\to^{\infty}_{n}$, where $n$ is a nonnegative integer:

$$\frac{C; S; E \to^{\infty}_{n}}{C; S; E \to^{\infty}_{n+1}} \ (\to^{\infty}_{n}\text{-sleep}) \qquad\qquad \frac{C; S; E \to^{+} C'; S'; E' \qquad C'; S'; E' \to^{\infty}_{n'}}{C; S; E \to^{\infty}_{n}} \ (\to^{\infty}_{n}\text{-perform})$$

The relation $\to^{\infty}_{n}$ is similar to $\to^{\infty}$ but allows the abstract machine to remain in
the same state, not performing any transitions, for at most $n$ steps (rule
$\to^{\infty}_{n}$-sleep). If $n$ drops to zero, one or several transitions must be performed (rule
$\to^{\infty}_{n}$-perform). In exchange for performing at least one transition, the count
$n$ can be reset to any value $n'$, allowing an arbitrary but finite number of
non-transitions to be taken afterwards.

A proof by coinduction shows the following variant of theorem 52, using →ⁿ∞ 
with n equal to the left application height of the term under consideration. 

Lemma 54 If e ⊢ a ⇒ ∞, then (⟦a⟧, C); S; ⟦e⟧ →^{‖a‖}∞. 

Proof. By coinduction and case analysis on the last rule used to derive e ⊢ 
a ⇒ ∞. In the first case, a = a₁ a₂ and e ⊢ a₁ ⇒ ∞. Applying the coinduction 
hypothesis, we obtain (⟦a₁⟧, ⟦a₂⟧, App, C); S; ⟦e⟧ →^{‖a₁‖}∞, and the result follows by 
one application of rule (→ⁿ∞-sleep), noticing that ‖a‖ = ‖a₁‖ + 1. 

In the second case, a = a₁ a₂, e ⊢ a₁ ⇒ v and e ⊢ a₂ ⇒ ∞. By lemma 51, 
we obtain (⟦a₁⟧, ⟦a₂⟧, App, C); S; ⟦e⟧ →⁺ (⟦a₂⟧, App, C); ⟦v⟧.S; ⟦e⟧. Using the 
coinduction hypothesis, we also have (⟦a₂⟧, App, C); ⟦v⟧.S; ⟦e⟧ →^{‖a₂‖}∞. The result 
follows by rule (→ⁿ∞-perform). The third case of divergence is similar and we 
omit it. □ 

We then show the following implication between →ⁿ∞ and →∞: 

Lemma 55 If C; S; E →ⁿ∞, then C; S; E →∞. 

Proof. We first show that C; S; E →ⁿ∞ implies the existence of n', C', S' and 
E' such that C; S; E → C'; S'; E' and C'; S'; E' →^{n'}∞, by Peano induction over n. 
The result then follows by coinduction. □ 

Theorem 52 then follows from lemmas 54 and 55. We omit the proof of theorem 
53, which is similar. 
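As an added illustration, not taken from the paper's Coq development, the following Coq section defines the →ⁿ∞ relation (sleep and perform rules) over an abstract machine whose state type and transition relation are assumed as parameters, and proves lemma 55 in the two stages described above: an inductive inversion lemma exposing one transition, then a guarded coinduction.

```coq
(* Added example, not the paper's own Coq development: the sleep/perform
   relation over a machine whose state and transition are parameters. *)
Section SleepPerform.
Variable state : Type.                    (* configurations C; S; E *)
Variable step  : state -> state -> Prop.  (* one machine transition *)

Inductive star : state -> state -> Prop :=            (* ->* *)
  | star_refl : forall s, star s s
  | star_step : forall s s' s'', step s s' -> star s' s'' -> star s s''.
Inductive plus : state -> state -> Prop :=            (* ->+ *)
  | plus_left : forall s s' s'', step s s' -> star s' s'' -> plus s s''.
CoInductive diverges : state -> Prop :=               (* ->oo *)
  | diverges_step : forall s s', step s s' -> diverges s' -> diverges s.

(* ->n oo: idle at most n times, then perform at least one transition
   and reset the budget to an arbitrary n'. *)
CoInductive divergesN : nat -> state -> Prop :=
  | divN_sleep   : forall n s, divergesN n s -> divergesN (S n) s
  | divN_perform : forall n n' s s',
      plus s s' -> divergesN n' s' -> divergesN n s.

(* A (perform) yields one real transition; a non-empty ->* tail is
   re-packaged as another (perform). *)
Lemma plus_divergesN_inv :
  forall s s', plus s s' -> forall n, divergesN n s' ->
  exists s1 m, step s s1 /\ divergesN m s1.
Proof.
  intros s s' Hplus. destruct Hplus as [s0 s1 s2 Hstep Hstar]; intros n Hdiv.
  exists s1. inversion Hstar; subst.
  - exists n. split; assumption.
  - exists 0. split. assumption.
    eapply divN_perform; [ eapply plus_left; eassumption | exact Hdiv ].
Qed.

(* First half of lemma 55 (Peano induction on n): peel off the sleeps. *)
Lemma divergesN_inv :
  forall n s, divergesN n s -> exists s1 m, step s s1 /\ divergesN m s1.
Proof.
  induction n as [| n IH]; intros s H; inversion H; subst.
  - eapply plus_divergesN_inv; eassumption.  (* n = 0: only (perform) *)
  - apply IH; assumption.                     (* (sleep) *)
  - eapply plus_divergesN_inv; eassumption.  (* (perform) *)
Qed.

(* Second half (coinduction): guarded, each unfolding follows a step. *)
Lemma divergesN_diverges : forall n s, divergesN n s -> diverges s.
Proof.
  cofix CIH. intros n s H.
  destruct (divergesN_inv n s H) as (s1 & m & Hstep & Hdiv).
  exact (diverges_step s s1 Hstep (CIH m s1 Hdiv)).
Qed.
End SleepPerform.
```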



10 Related work 



There are few instances of coinductive definitions and proofs for big-step se- 
mantics in the literature. Cousot and Cousot [8] proposed the coinductive 
big-step characterization of divergence that we use in this article and studied 
its applicability for abstract interpretation, as pursued later by Schmidt [30]. 
This approach was applied to call-by-name λ-calculus by Hughes and Moran 
[31] and by Crole [32], and to call-by-value λ-calculus by Grall [16]. 

Following up on [8], Cousot and Cousot recently introduced bi-inductive se- 
mantics and applied it to the call-by-value λ-calculus [33]. Bi-inductive seman- 
tics are defined in terms of smallest fixed points with respect to a nonstandard 
ordering. This approach captures both terminating and diverging executions 
using a common set of inference rules. For instance, in the case of the call-by- 
value λ-calculus, a single inference rule replaces the two rules (⇒-app) and 
(⇒-app-f) of our presentation. It is not entirely clear yet how the bi-inductive 
approach could be mechanized in a proof assistant. Another difference with 
the present article is that Cousot and Cousot [33] start from a big-step trace 
semantics, then systematically derive the other semantics (big-step and small- 
step) by abstraction: this is an interesting alternative to our approach, which 
deals with each semantics separately. 

Gunter and Remy [34] and Stoughton [35] have the same initial goal as us, 
namely to describe both terminating and diverging computations with big-step 
semantics, but use increasing sequences of finite, incomplete derivations to do 
so, instead of infinite derivations. We do not know yet how their approach 
relates to our ⇒ and ⇒∞ relations. 

Milner and Tofte [11] and later Leroy and Rouaix [36] used coinduction in the 
context of big-step semantics for functional and imperative languages, not to 
describe diverging evaluations, but to capture safety properties over possibly 
cyclic memory stores. 

Of course, coinductive techniques are routinely used in the context of small- 
step semantics, especially for the labeled transition systems arising from pro- 
cess calculi. The flavours of coinduction used there, especially proofs by bisim- 
ulations, are quite different from the present work. These techniques closely 
resemble the way coinduction can be used for defining the contextual equiva- 
lence in an operational setting [37] and the approximation order in the recur- 
sively defined domains involved in denotational semantics [38]. 

The infinitary λ-calculus [39,40] studies diverging computations from a very 
different angle: not only do the authors use reduction semantics, but their terms 
are also infinite, and they use topological techniques (metrics, convergence, 
etc.) instead of coinduction. 



11 Conclusions 

We investigated two coinductive approaches to giving big-step semantics for 
non-terminating computations. The first, based on [8] and using separate eval- 
uation rules for terminating terms and diverging terms, appears very well- 
behaved: it corresponds exactly to finite and infinite reduction sequences, and 
lends itself well to type soundness proofs and to compiler correctness proofs. 
The second approach, consisting of a coinductive interpretation of the stan- 
dard evaluation rules, is less satisfactory: while amenable to compiler correct- 
ness proofs as well, it captures only a subset of the diverging computations of 
interest — and it is not yet clear which subset exactly. 

To evaluate the applicability of the coinductive techniques presented here 
to languages other than small functional languages, we developed coinduc- 
tive big-step semantics for three low-level imperative languages used in the 
Compcert verified compiler [41]: the source language Clight (a large subset 
of the C language) and the two intermediate languages C#minor and Cminor. 
These semantics characterize non-terminating programs and the traces 
of input/output events they perform. These semantics were used to mechan- 
ically prove that the first four passes of the Compcert compiler preserve the 
semantics of diverging programs. Some of the proofs use techniques similar to 
those presented in section 9.3 to combine co-inductive and inductive reason- 
ing. The results of this experiment are encouraging. In particular, the addition 
of coinductive rules for divergence increases the size of the semantics by only 
40%. 